fix: use private helcimApiToken for all server-side Helcim API calls

2026-04-04 13:37:34 +01:00 · 2026-04-04 13:37:34 +01:00 · d31b5b4dac
commit d31b5b4dac
parent ccd1d0783a
53 changed files with 1755 additions and 572 deletions
--- a/server/api/helcim/create-plan.post.js
+++ b/server/api/helcim/create-plan.post.js
@ -7,7 +7,7 @@ export default defineEventHandler(async (event) => {
    const config = useRuntimeConfig(event)
    const body = await validateBody(event, helcimCreatePlanSchema)

-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken


    const response = await fetch(`${HELCIM_API_BASE}/payment-plans`, {
--- a/server/api/helcim/customer-code.get.js
+++ b/server/api/helcim/customer-code.get.js
@ -45,7 +45,7 @@ export default defineEventHandler(async (event) => {
      })
    }

-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken

    const response = await fetch(
      `${HELCIM_API_BASE}/customers/${member.helcimCustomerId}`,
--- a/server/api/helcim/customer.post.js
+++ b/server/api/helcim/customer.post.js
@ -21,7 +21,7 @@ export default defineEventHandler(async (event) => {
    }

    // Get token directly from environment if not in config
-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken
    
    if (!helcimToken) {
      throw createError({
--- a/server/api/helcim/get-or-create-customer.post.js
+++ b/server/api/helcim/get-or-create-customer.post.js
@ -38,7 +38,7 @@ export default defineEventHandler(async (event) => {
      })
    }

-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken

    // First, search for existing customer
    try {
--- a/server/api/helcim/initialize-payment.post.js
+++ b/server/api/helcim/initialize-payment.post.js
@ -5,16 +5,16 @@ const HELCIM_API_BASE = "https://api.helcim.com/v2";

 export default defineEventHandler(async (event) => {
  try {
-    await requireAuth(event);
    const config = useRuntimeConfig(event);
    const body = await validateBody(event, helcimInitializePaymentSchema);

-
-    const helcimToken =
-      config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN;
-
-    // Determine payment type based on whether this is for a subscription or one-time payment
+    // Event ticket purchases can be made without authentication
    const isEventTicket = body.metadata?.type === "event_ticket";
+    if (!isEventTicket) {
+      await requireAuth(event);
+    }
+
+    const helcimToken = config.helcimApiToken;
    const amount = body.amount || 0;

    // For event tickets with amount > 0, we do a purchase
--- a/server/api/helcim/plans.get.js
+++ b/server/api/helcim/plans.get.js
@ -5,7 +5,7 @@ export default defineEventHandler(async (event) => {
  try {
    await requireAdmin(event)
    const config = useRuntimeConfig(event)
-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken
    
    const response = await fetch(`${HELCIM_API_BASE}/payment-plans`, {
      method: 'GET',
--- a/server/api/helcim/subscription.post.js
+++ b/server/api/helcim/subscription.post.js
@ -157,7 +157,7 @@ export default defineEventHandler(async (event) => {
    }

    // Try to create subscription in Helcim
-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken
    
    // Generate a proper alphanumeric idempotency key (exactly 25 characters)
    const chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
--- a/server/api/helcim/subscriptions.get.js
+++ b/server/api/helcim/subscriptions.get.js
@ -5,7 +5,7 @@ export default defineEventHandler(async (event) => {
  try {
    await requireAdmin(event)
    const config = useRuntimeConfig(event)
-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken
    
    const response = await fetch(`${HELCIM_API_BASE}/subscriptions`, {
      method: 'GET',
--- a/server/api/helcim/update-billing.post.js
+++ b/server/api/helcim/update-billing.post.js
@ -11,7 +11,7 @@ export default defineEventHandler(async (event) => {

    const { billingAddress } = body

-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken
    
    // Update customer billing address in Helcim
    const response = await fetch(`${HELCIM_API_BASE}/customers/${body.customerId}`, {
--- a/server/api/helcim/verify-payment.post.js
+++ b/server/api/helcim/verify-payment.post.js
@ -11,7 +11,7 @@ export default defineEventHandler(async (event) => {
    const config = useRuntimeConfig(event)
    const body = await validateBody(event, paymentVerifySchema)

-    const helcimToken = config.public.helcimToken || process.env.NUXT_PUBLIC_HELCIM_TOKEN
+    const helcimToken = config.helcimApiToken

    if (!helcimToken) {
      throw createError({